| CISC-ND-000010 - The Cisco router must be configured to limit the number of concurrent management sessions to an organization-defined number. | DISA Cisco IOS Router NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000090 - The Cisco router must be configured to automatically audit account creation. | DISA Cisco IOS Router NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000160 - The Cisco router must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. | DISA Cisco IOS Router NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000290 - The Cisco router must produce audit records containing information to establish where the events occurred. | DISA Cisco IOS Router NDM STIG v3r6 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-000390 - The Cisco router must be configured to protect audit information from unauthorized deletion. | DISA Cisco IOS Router NDM STIG v3r6 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-000460 - The Cisco router must be configured to limit privileges to change the software resident within software libraries. | DISA Cisco IOS Router NDM STIG v3r6 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-ND-000490 - The Cisco router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | DISA Cisco IOS Router NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000620 - The Cisco router must only store cryptographic representations of passwords. | DISA Cisco IOS Router NDM STIG v3r6 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-ND-001220 - The Cisco router must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards. | DISA Cisco IOS Router NDM STIG v3r6 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-ND-001410 - The Cisco router must be configured to back up the configuration when changes occur. | DISA Cisco IOS Router NDM STIG v3r6 | Cisco | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING |
| CISC-ND-001440 - The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | DISA Cisco IOS Router NDM STIG v3r6 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-ND-001450 - The Cisco router must be configured to send log data to at least two syslog servers for the purpose of forwarding alerts to the administrators and the ISSO. | DISA Cisco IOS Router NDM STIG v3r6 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000120 - The Cisco router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000180 - The Cisco router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000200 - The Cisco router must be configured to log all packets that have been dropped at interfaces via an ACL. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000210 - The Cisco router must be configured to produce audit records containing information to establish where the events occurred. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000236 - The Cisco router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000240 - The Cisco perimeter router must be configured to deny network traffic by default and allow network traffic by exception. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000260 - The Cisco perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000290 - The Cisco perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an approved gateway service provider. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000300 - The Cisco perimeter router must be configured to not redistribute static routes to an approved gateway service provider into BGP, an IGP peering with the NIPRNet, or other autonomous systems. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000320 - The Cisco perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000360 - The Cisco perimeter router must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000380 - The Cisco perimeter router must be configured to have Proxy ARP disabled on all external interfaces. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000390 - The Cisco perimeter router must be configured to block all outbound management traffic. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000391 - The Cisco perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000392 - The Cisco perimeter router must be configured to drop IPv6 undetermined transport packets. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000393 - The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3-255. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000396 - The Cisco perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000397 - The Cisco perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000410 - The Cisco out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC). | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000470 - The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM). | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000490 - The Cisco BGP router must be configured to reject inbound route advertisements for any Bogon prefixes. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000510 - The Cisco BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000520 - The Cisco BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS). | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000550 - The Cisco BGP router must be configured to reject route advertisements from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000580 - The Cisco BGP router must be configured to use its loopback address as the source address for iBGP peering sessions. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000590 - The Cisco MPLS router must be configured to use its loopback address as the source address for LDP peering sessions. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000620 - The Cisco MPLS router must be configured to have TTL Propagation disabled. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000630 - The Cisco PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000640 - The Cisco PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT). | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000650 - The Cisco PE router must be configured to have each VRF with the appropriate Route Distinguisher (RD). | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000670 - The Cisco PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000760 - The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000780 - The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000800 - The Cisco multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000840 - The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000890 - The Cisco multicast Designated Router (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000900 - The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000950 - The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to use a loopback address as the source address when originating MSDP traffic. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | CONTINGENCY PLANNING |
